Search Results (9419 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-7273 1 Kiteworks 1 Owncloud 2026-04-15 6.8 Medium
Cross site request forgery in Kiteworks OwnCloud allows an unauthenticated attacker to forge requests. If a request has no Authorization header, it is created with an empty string as value by a rewrite rule. The CSRF check is done by comparing the header value to null, meaning that the existing CSRF check is bypassed in this case. An attacker can, for example, create a new administrator account if the request is executed in the browser of an authenticated victim.
CVE-2024-2970 1 Wordpress 1 Wordpress 2026-04-15 4.3 Medium
The News Wall plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the nwap_newslist_page() function. This makes it possible for unauthenticated attackers to update the plugin's settings and modify news lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2020-9322 1 Statamic 1 Statamic 2026-04-15 8.8 High
The /users endpoint in Statamic Core before 2.11.8 allows XSS to add an administrator user. This can be exploited via CSRF. Stored XSS can occur via a JavaScript payload in a username during account registration. Reflected XSS can occur via the /users PATH_INFO.
CVE-2023-47845 1 Wordpress 1 Wordpress 2026-04-15 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Lim Kai Yang Grab & Save.This issue affects Grab & Save: from n/a through 1.0.4.
CVE-2025-5185 2026-04-15 4.3 Medium
A vulnerability was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component.
CVE-2019-25359 1 Sitzungsdienst 1 Sd.net Rim 2026-04-15 8.2 High
SD.NET RIM versions before 4.7.3c contain a SQL injection vulnerability that allows attackers to inject malicious SQL statements through POST parameters 'idtyp' and 'idgremium'. Attackers can exploit this vulnerability by crafting specially formed POST requests to the /vorlagen/ endpoint, enabling unauthorized database manipulation and potential information disclosure.
CVE-2020-37106 1 Bdtask 1 Business Live Chat Software 2026-04-15 5.3 Medium
Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with administrative access parameters.
CVE-2019-20460 1 Epson 1 Xp-255 2026-04-15 8.8 High
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. POST requests don't require (anti-)CSRF tokens or other mechanisms for validating that the request is from a legitimate source. In addition, CSRF attacks can be used to send text directly to the RAW printer interface. For example, an attack could deliver a worrisome printout to an end user.
CVE-2025-13970 1 Openplcproject 1 Openplc V3 2026-04-15 8 High
OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack due to the absence of proper CSRF validation. This issue allows an unauthenticated attacker to trick a logged-in administrator into visiting a maliciously crafted link, potentially enabling unauthorized modification of PLC settings or the upload of malicious programs which could lead to significant disruption or damage to connected systems.
CVE-2023-7065 1 Wordpress 1 Wordpress 2026-04-15 5.4 Medium
The Stop Spammers Security | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.4. This is due to missing or incorrect nonce validation on the sfs_process AJAX action. This makes it possible for unauthenticated attackers to add arbitrary IPs to the plugin's allowlist and blocklist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-22438 2026-04-15 3.5 Low
A potential security vulnerability has been identified in Hewlett Packard Enterprise OfficeConnect 1820 Network switches. The vulnerability could be remotely exploited to allow execution of malicious code.
CVE-2018-25150 1 Ecessa 2 Shieldlink Sl175ehq, Shieldlink Sl175ehq Firmware 2026-04-15 5.3 Medium
Ecessa ShieldLink SL175EHQ 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a hidden form to add a superuser account by tricking a logged-in administrator into loading the page.
CVE-2018-25151 1 Ecessa 1 Wanworx Wvr-30 2026-04-15 4.3 Medium
Ecessa WANWorx WVR-30 versions before 10.7.4 contain a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft a malicious web page with a hidden form to create a new superuser account by tricking an authenticated administrator into loading the page.
CVE-2018-25152 1 Ecessa 1 Edge Ev150 2026-04-15 5.3 Medium
Ecessa Edge EV150 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a form that submits requests to the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint to add superuser accounts with arbitrary credentials.
CVE-2024-7422 1 Wordpress 1 Wordpress 2026-04-15 4.3 Medium
The Theme My Login plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.1.7. This is due to missing or incorrect nonce validation on the tml_admin_save_ms_settings() function. This makes it possible for unauthenticated attackers to update the theme's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Please note that this only affects multi-site instances.
CVE-2023-51416 1 Wordpress 1 Wordpress 2026-04-15 6.5 Medium
Cross-Site Request Forgery (CSRF) vulnerability in EnvialoSimple EnvĂ­aloSimple.This issue affects EnvĂ­aloSimple: from n/a through 2.2.
CVE-2025-48111 2 Wordpress, Yithemes 2 Wordpress, Yith Paypal Express Checkout For Woocommerce 2026-04-15 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in YITHEMES YITH PayPal Express Checkout for WooCommerce allows Cross Site Request Forgery. This issue affects YITH PayPal Express Checkout for WooCommerce: from n/a through 1.49.0.
CVE-2024-12170 1 Wordpress 1 Wordpress 2026-04-15 5.4 Medium
The ViewMedica 9 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.15. This is due to missing or incorrect nonce validation on the 'Viewmedica-Admin' page. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-12383 2026-04-15 6.1 Medium
The Binary MLM Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'bmw_display_pv_set_page' function and insufficient input sanitization and output escaping of the 'product_points' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2020-37046 1 Adikiss 1 Sistem Informasi Pengumuman Kelulusan Online 2026-04-15 5.3 Medium
Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new administrative accounts without the victim's consent.